CVE-2020-24346

7.8 HIGH

📋 TL;DR

CVE-2020-24346 is a use-after-free vulnerability in njs (NGINX JavaScript) through version 0.4.3 that allows attackers to potentially execute arbitrary code or cause denial of service. It affects NGINX deployments using njs for JSON parsing. The vulnerability occurs when processing malformed JSON data.

💻 Affected Systems

Products:
  • NGINX with njs module
  • NetApp products using vulnerable njs
Versions: njs versions through 0.4.3
Operating Systems: All platforms running affected njs
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when njs module is enabled and processing JSON data. Default NGINX installations without njs are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case: Denial of service causing NGINX worker crashes and service disruption.

🟢 If Mitigated: Limited impact with proper network segmentation and minimal privileges.

🌐 Internet-Facing: HIGH - NGINX is commonly internet-facing and processes untrusted JSON data.
🏢 Internal Only: MEDIUM - Still significant if internal applications process untrusted JSON.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept available in GitHub issue. Exploitation requires sending malformed JSON to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: njs 0.4.4 and later

Vendor Advisory: https://github.com/nginx/njs/issues/325

Restart Required: Yes

Instructions:

1. Update njs to version 0.4.4 or later.
2. Recompile NGINX with updated njs module.
3. Restart NGINX service.
4. Verify version with 'njs -v'.

🔧 Temporary Workarounds

Disable njs JSON parsing (all platforms)

Temporarily disable njs JSON processing if not required. Comment out or remove njs_json directives in NGINX configuration.

Input validation (all platforms)

Implement strict JSON validation before njs processing. Add validation layer in application code or NGINX Lua module.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Deploy WAF rules to block malformed JSON payloads

🔍 How to Verify

Check if Vulnerable:

Check njs version with 'njs -v' or examine NGINX configuration for njs module usage

Check Version:

njs -v

Verify Fix Applied:

Confirm njs version is 0.4.4+ with 'njs -v' and test JSON processing functionality

📡 Detection & Monitoring

Log Indicators:

  • NGINX worker crashes
  • Segmentation fault errors in logs
  • Unusual JSON payloads in access logs

Network Indicators:

  • Malformed JSON requests to NGINX endpoints
  • Repeated connection attempts with invalid JSON

SIEM Query:

source="nginx" AND ("segmentation fault" OR ("worker process" AND exit))
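
The log indicators above can also be checked directly against the NGINX error log. The following is an added example, not part of the original advisory or the njs project: it picks out workers killed by a memory-fault signal and reports bursts of such crashes. The sample log lines, the function names and the threshold of 3 crashes within 5 minutes are assumptions.

```python
import re
from datetime import datetime, timedelta

# Master-process line nginx writes to error_log when a worker dies from a signal.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
    r"(?P<core> \(core dumped\))?")
FATAL_SIGNALS = {6: "SIGABRT", 11: "SIGSEGV"}  # Linux numbers for memory faults

# Constructed sample error_log lines (not taken from a real incident).
SAMPLE_LOG = """\
2020/08/20 10:00:01 [notice] 900#900: worker process 901 exited with code 0
2020/08/20 10:02:10 [alert] 900#900: worker process 902 exited on signal 11 (core dumped)
2020/08/20 10:02:45 [alert] 900#900: worker process 903 exited on signal 11
2020/08/20 10:04:30 [alert] 900#900: worker process 904 exited on signal 11 (core dumped)
2020/08/20 11:30:00 [alert] 900#900: worker process 905 exited on signal 15
2020/08/20 12:15:00 [alert] 900#900: worker process 906 exited on signal 11
""".splitlines()


def parse_crashes(lines):
    """Return (time, pid, signal_name, core_dumped) per memory-fault worker exit."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m["sig"]) in FATAL_SIGNALS:  # skip clean exits and SIGTERM
            when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            crashes.append((when, int(m["pid"]), FATAL_SIGNALS[int(m["sig"])],
                            m["core"] is not None))
    return crashes


def crash_bursts(crashes, threshold=3, window=timedelta(minutes=5)):
    """Return (first, last, count) for each run of >= threshold crashes in window."""
    times = sorted(c[0] for c in crashes)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1  # extend the run while crashes stay inside the window
        if j - i >= threshold:
            bursts.append((times[i], times[j - 1], j - i))
        i = j if j - i >= threshold else i + 1  # skip a reported run, else slide
    return bursts


if __name__ == "__main__":
    print(crash_bursts(parse_crashes(SAMPLE_LOG)))
```

A burst of worker crashes is not specific to this CVE, so treat a hit as a prompt to check the njs version and the requests logged around the same time.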
